The following was reported [1] on the oss-security mailing list. A proposed patch is noted in that report.

Quassel IRC is vulnerable to SQL injection on all current versions
(0.9.0 being the latest at the time of writing), if used with Qt 4.8.5
(the vulnerability is caused by a change in its postgres driver[2,3])
and PostgreSQL 8.2 or later with standard_conforming_strings enabled
(which is the default in those versions). The vulnerability allows
anyone to trick the core into executing SQL queries, which includes
cascade deleting the entire database. It is tracked upstream in bug
#1244 [4]. It was first noticed by due to minor issues with
migration to postgres and problems with certain messages; a simple
test with an unmodified installation of postgres and quassel showed
that it was indeed possible to drop tables.

No upstream fix is available at this time, although the below patch
does fix the current issue.

[1] http://www.openwall.com/lists/oss-security/2013/10/09/7
[2] https://qt.gitorious.org/qt/qtbase/commit/e3c5351d06ce8a12f035cd0627356bc64d8c334a
[3] https://bugreports.qt-project.org/browse/QTBUG-30076
[4] http://bugs.quassel-irc.org/issues/1244